
Running Dropbox in Firejail Sandbox

This article describes how to move an existing Dropbox installation into a restricted home directory and how to run it inside the Firejail security sandbox.

Introducing Firejail

Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, the process table and the mount table.

Firejail can sandbox any type of process: servers, graphical applications, and even user login sessions. Written in C with virtually no dependencies, it should work on any Linux computer with a 3.x kernel.

Moving Dropbox to the new home directory

The Dropbox software consists of three directories placed in the user's home directory: .dropbox, Dropbox, and .dropbox-dist. I kill the running instance of Dropbox, create the new home directory (mybox), and move the three directories there.

The last step is to change the autostart entry. For this, I open ~/.config/autostart/dropbox.desktop in a text editor and modify the Exec line as follows:

Exec=firejail --private=~/mybox "dropbox start -i && sleep inf"

On the next computer restart or user login, Dropbox will start automatically in the sandbox with /home/user/mybox as its home directory. Personal files in your actual home directory will not be accessible to the Dropbox process.

Starting Dropbox manually

You can add a start icon on your desktop:

$ cp ~/.config/autostart/dropbox.desktop ~/Desktop/.

or you can start Dropbox from a terminal:

$ firejail --private=~/mybox "dropbox start -i && sleep inf"

Verifying Dropbox is running

To check if Dropbox is running, use firejail --tree. This lists all the processes running in the sandbox:

[Figure: Verifying Dropbox is running (firejail --tree output)]

1549 is the process ID (PID) of the sandbox. You can use this PID value to join the sandbox.

Auditing the sandbox

To do a quick audit, log into the sandbox using firejail --join, passing the process ID of the sandbox (1549) as the parameter to the --join option. This opens a regular bash session inside the sandbox. The session has the same restricted view of the system as the Dropbox process.

[Figure: Joining the sandbox (firejail --join session)]

The user home directory inside the sandbox contains only the Dropbox files and configuration (ls -al). The process space (ps aux) is restricted to the Dropbox processes. Some system directories are empty, others are read-only. Seccomp and Linux capabilities filters restrict the kernel's attack surface. All SUID binaries, such as su and sudo, are disabled inside the sandbox.
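The verification and audit steps above, scripted so they can be repeated without an interactive shell. This is an added example and not code from the original post: it locates the sandbox PID in firejail --tree output and then runs the article's checks (ls -al, ps aux, and a test that sudo is unusable) through firejail --join. The function names and the sample tree text are constructed for illustration; the pid:user:command line format is the one the firejail man page shows for --tree.

```shell
#!/bin/sh
# Added example (not code from the original post): find the Dropbox sandbox
# in "firejail --tree" output and run the article's audit commands inside it
# non-interactively with "firejail --join". The function names and the
# sample tree below are constructed; the "pid:user:command" line format is
# the one shown in the firejail man page for --tree.

# Constructed sample of "firejail --tree" output (PIDs and paths invented).
SAMPLE_TREE='1549:user:firejail --private=~/mybox dropbox start -i && sleep inf
  1551:user:/bin/bash -c dropbox start -i && sleep inf
    1553:user:/home/user/.dropbox-dist/dropboxd
2001:user:firejail firefox
  2002:user:firefox'

# sandbox_pid TREE_TEXT PATTERN
#   Print the PID of the first top-level sandbox (an unindented line) whose
#   command line contains PATTERN; exit 1 if there is none.
sandbox_pid() {
    printf '%s\n' "$1" | awk -F: -v pat="$2" '
        /^[0-9]/ && index($0, pat) { print $1; found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# audit_sandbox PID
#   Each check runs as its own "firejail --join" so no interactive shell is
#   needed. The expectations in the messages are the ones the article states.
audit_sandbox() {
    pid="$1"
    echo "== home directory as seen from sandbox $pid (expect only Dropbox files) =="
    firejail --join="$pid" ls -al "$HOME"
    echo "== processes visible from sandbox $pid (expect only Dropbox) =="
    firejail --join="$pid" ps aux
    echo "== SUID check: sudo should fail inside the sandbox =="
    if firejail --join="$pid" sudo -n true 2>/dev/null; then
        echo "WARNING: sudo succeeded inside sandbox $pid"
    else
        echo "ok: sudo is not usable inside sandbox $pid"
    fi
}

# Run the audit against the live system only when asked (./audit.sh --audit).
if [ "${1:-}" = "--audit" ]; then
    pid=$(sandbox_pid "$(firejail --tree)" dropbox) || {
        echo "no Dropbox sandbox found in firejail --tree output" >&2
        exit 1
    }
    audit_sandbox "$pid"
fi
```

Only unindented lines of the tree are considered, so the script picks the sandbox itself rather than the bash or dropbox child processes nested under it.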

An include command or something akin to private.keep but with persistent data would be a great addition to firejail. Using this example: you could just point to the three Dropbox folders instead of moving and softlinking them; that would add a great deal of flexibility and ease of use.